These are the steps to take to be an effective DPO

Five years ago, companies were arguing against adopting the CIO role, which has now become acknowledged as important in the big data world. Fast forward to 2017 and the position up for debate is the DPO, or data protection officer – but the GDPR clearly favours one side of the argument.

Appointing a DPO is mandatory for public authorities and companies processing ‘large amounts’ of personal data. It is common for the DPO to be in charge of all aspects of data privacy, and Matthew Kay – who holds the group DPO position at Balfour Beatty – spoke at Computing’s recent GDPR IT Leaders Forum about some of the key steps to take towards compliance.

A DPO must focus on accountability; not only their own, but all members of the organisation. They are in charge of governance (“A DPO doesn’t need to be in the boardroom, but does need access to it,” Kay said), policies (“Not many people read them, but you need them – especially a breach notification policy”) and ensuring that full- and part-time contracts are robust in terms of the GDPR.

Ensuring that staff training includes the regulation is important part of the DPO’s role. Kay doesn’t try to teach employees every article in the GDPR, but does make sure that they are aware of how it applies to them and how they can avoid breaking it. “You need to ensure that people know it’s an ongoing concern,” he said, and added that he makes sure that people in Balfour Beatty can contact him to escalate concerns. “I know my phone will ring a lot, but it’ll ring a lot more if we get breached and I didn’t know about it.”

Finally, Kay focuses on staff awareness by publishing blogs and putting posts on Yammer. He also said that the DPO needs to be independent, but acknowledged that that is difficult to achieve when s/he is employed by the company.

The million dollar question

‘Where should you be now, and where can you expect to be in 2018?’ is the most important question for every business. Kay stressed the importance of appointing a DPO sooner, rather than later:

“You need to start now if you haven’t started already… The more you can do now the better, and it needs to be continued [after the 25th of May].” The regulation is more like a new headmaster starting whom everyone hates, rather than an Ofsted inspection that is over and done with in a few days.

However, he said – reiterating a point from Steve Norledge‘s keynote speech – “You absolutely shouldn’t be going quick and dirty; you need to take time and work out what you’re doing, but don’t just sit around a table and talk about it.”

Central to all of the above is – of course – the DPO, and a good one must demonstrate three key skills:

Key relationships – with the board and other employees, like security and technical staff. Kay stressed that the DPO shouldn’t be in the boardroom themselves, because that risks being too hands-off: “You must be the driver.”